Kaminsky, Cache Poisoning, and Censorship

Dean Anderson <dean@av8.com> Fri, 15 August 2008 13:38 UTC

Date: Thu, 14 Aug 2008 16:31:52 -0400
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: Ben Laurie <ben@links.org>, Alex Bligh <alex@alex.org.uk>, David Conrad <drc@virtualized.org>, bert hubert <bert.hubert@netherlabs.nl>, Ted Lemon <Ted.Lemon@nominum.com>, Mark Andrews <Mark_Andrews@isc.org>, bmanning@karoshi.com, Brian Dickson <briand@ca.afilias.info>, Joe Abley <jabley@ca.afilias.info>, Jelte Jansen <jelte@NLnetLabs.nl>, Andrew Sullivan <ajs@commandprompt.com>, Roy Arends <roy@nominet.org.uk>, bmanning@vacation.karoshi.com, Stephane Bortzmeyer <bortzmeyer@nic.fr>, Matthijs Mekking <matthijs@NLnetLabs.nl>, "Jesper G. Høy" <jesper@jhsoft.com>, Danny Mayer <mayer@gis.net>, Tony Finch <dot@dotat.at>, Edward Lewis <Ed.Lewis@neustar.biz>, Michael StJohns <mstjohns@comcast.net>, Ray.Bellis@nominet.org.uk, Eric Rescorla <ekr@networkresonance.com>, "David W. Hankins" <David_Hankins@isc.org>, Duane at e164 dot org <duane@e164.org>, Jim Fenton <fenton@cisco.com>, Paul Vixie <vixie@isc.org>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
cc: DNSEXT WG <namedroppers@ops.ietf.org>, iesg@ietf.org
Subject: Kaminsky, Cache Poisoning, and Censorship
In-Reply-To: <48A3C436.7090301@e164.org>
Message-ID: <Pine.LNX.4.44.0808141417040.21350-100000@citation2.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

[ Note: Post was moderated. ]


> [ Moderators note: Post was moderated, either because it was posted by
>    a non-subscriber, or because it was over 20K.
>    With the massive amount of spam, it is easy to miss and therefore
>    delete relevant posts by non-subscribers.
>    Please fix your subscription addresses. ]

The moderator's note is false, and deceives the Working Group. I am a
subscriber, and the post was not over 20K.

The Chairs have chosen to censor messages which are relevant to WG
business, but that are not exclusively technical.  The type of messages
they have said they will censor includes messages about RFC3979
compliance, messages about financial considerations for drafts, and
messages concerning the integrity of the IETF process as described by
RFC2026 section 6.5.1. In practice, they have blocked messages that
merely oppose the unsubstantiated assertions of the BIND Cartel (ISC,
Nominum, UltraDNS, and Centergate Research).

See http://www.av8.net/IETF-watch/DNSEXT/Management.html

The assertion of personal attacks is a lie and a deception of the
working group.

In 2000, messages from Dr. Bernstein regarding DNS cache poisoning
attacks were also censored.  WG Chair Gudmundsson was involved in the
censorship of those messages.


WG Chair Olafur Gudmundsson has demanded that I "agree not to engage in
personal attacks". Since I (Anderson) have never engaged in personal
attacks, this demand is based on an implied fiction. It is known as a
'loaded question' fallacy.  His demand is the same as the fallacious
question "have you stopped beating your wife?" As in the wife-beating
fallacy, if I answer "no", then it seems as if I intend to continue
making personal attacks, implying misconduct. If I answer "yes", it
seems as if I concede to some past misconduct, also implying misconduct.
WG Chair Gudmundsson was previously involved in the controversial
AXFR-clarify draft promoted by the BIND Cartel and was involved in the
deception of the DNSEXT WG over 1999-2002 through (at least) the
censorship of Dr. Dan Bernstein, who opposed the draft.

WG Chair Sullivan has specifically asserted that only technical messages
can be posted to DNSEXT, denying that RFC3979 compliance, financial
considerations, or discussion of the integrity of the process were
appropriate subject matter. Recently appointed, WG Chair Andrew Sullivan
has no relevant DNS experience, nor any long IETF experience. Sullivan
has been a system administrator at Afilias for a few years, and was a
protégé of Joe Abley, former ISC architect of DNS Anycast.  Sullivan had
also recently taken over the dubious IN-ADDR Required draft on DNSOP,
renamed "Considerations for the use of DNS Reverse Mapping", but
containing the same discredited claims as the IN-ADDR Required draft.

This abuse has to stop.

		--Dean
> On Mon, 11 Aug 2008, David Conrad wrote:
> > 
> > > Only SSL can protect you here.
> > 
> > As Dan Kaminsky points out: "SSL certs themselves are dependent on the
> > DNS".
> 
> Kaminsky is wrong. SSL uses DNS to obtain an IP address to connect to a
> server, and then expects the server to produce a certificate, which the
> client verifies. Spoofing DNS does not enable the attacker to obtain the
> private key to the valid certificate.  The DNS domain information placed
> in a certificate merely allows the client to determine before
> verification if it got the certificate it asked for. However the wrong
> or fake certificate won't verify unless there is a fault in the
> Certification Authority (this happened with MS some years ago). But a
> spoofed DNS name going to a wrong server results in a failure to verify
> the certificate. So SSL is NOT "dependent on DNS".
> 
> Of course, if spoofed DNS sends the SSL connection to the wrong server,
> a DOS attack still results since one didn't get to the correct server.
> In that sense, everything a user does is dependent on DNS.
> 
> But it is not the case that your bank information can be stolen by this
> DNS attack, as Kaminsky seems to have told the mainstream press.
> 
> 		--Dean
> 
> 


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>